WO2019231215A1 - Terminal device and method for identifying a malicious AP using said terminal - Google Patents

Terminal device and method for identifying a malicious AP using said terminal

Info

Publication number
WO2019231215A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
malicious
time information
time
terminal device
Application number
PCT/KR2019/006389
Other languages
English (en)
Korean (ko)
Inventor
조정일
권순홍
김현우
송민규
이종성
이중환
정용수
최대성
Original Assignee
삼성전자 주식회사
Application filed by 삼성전자 주식회사
Priority to US17/057,848 (US11457362B2)
Priority to KR1020207029216A (KR102378515B1)
Priority to CN201980036707.9A (CN112237017B)
Publication of WO2019231215A1
Priority to US17/949,711 (US20230016491A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/61 Time-dependent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/71 Hardware identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/73 Access point logical identity

Definitions

  • the present disclosure relates to the field of communications. More specifically, the present disclosure relates to a method and apparatus for determining whether an access point (AP) to which a terminal device attempts to connect is malicious or normal.
  • AP access point
  • users connect to access points (APs) with their mobile devices anytime and anywhere in order to use the Internet.
  • users access the AP in a public place such as a hotel, restaurant, airport, etc.
  • there may be a security problem. For example, some hackers try to trick users into connecting to a malicious AP, and then use the information collected through the malicious AP for phishing or for collecting sensitive personal information without permission.
  • SSIDs Service Set Identifiers
  • BSSIDs Basic Service Set Identifiers
  • the terminal device according to an embodiment, and the malicious AP identification method it performs, address the technical problem of preventing the leakage of personal information through a malicious AP.
  • a method of identifying a malicious AP may include: obtaining first performance information related to hardware of a first AP based on a first beacon signal received from the first AP; comparing the first performance information with previously stored second performance information of a second AP; and determining whether the first AP is a malicious AP based on the comparison result.
  • the terminal device and the method for identifying a malicious AP may determine whether the AP to be accessed is a normal AP or a malicious AP.
  • the terminal device and the identification method of the malicious AP can prevent the leakage of personal information through the malicious AP.
  • the effects that the terminal device and the malicious AP identification method according to the embodiment can achieve are not limited to those mentioned above; other effects not mentioned will be clearly understood by those skilled in the art from the following description.
  • FIG. 1A is a diagram for describing a situation in which a user terminal accesses a malicious AP.
  • FIG. 1B is a diagram for explaining another situation in which a user terminal accesses a malicious AP.
  • FIG. 1C is a diagram for explaining another situation in which a user terminal accesses a malicious AP.
  • FIG. 2 is a block diagram illustrating a configuration of a terminal device according to an exemplary embodiment.
  • FIG. 3 is a flowchart illustrating a malicious AP identification method according to an embodiment.
  • FIG. 4 is a flowchart illustrating a malicious AP identification method of a terminal device according to an exemplary embodiment.
  • FIG. 5 is an exemplary diagram illustrating a structure of a beacon signal.
  • FIG. 6 is a flowchart illustrating a malicious AP identification method of a terminal device according to an exemplary embodiment.
  • FIG. 7 is a flowchart illustrating a malicious AP identification method of a terminal device according to an embodiment.
  • FIG. 8 is a diagram illustrating an analysis result of a response message received from a normal AP and a response message received from a malicious AP.
  • FIG. 9 is a diagram illustrating an analysis result of a response message received from a normal AP and a response message received from a malicious AP.
  • FIG. 10 is a flowchart illustrating a malicious AP identification method of a terminal device according to an embodiment.
  • FIG. 11 is a diagram illustrating a result of analyzing time stamp information of beacon signals received from a normal AP and time stamp information of beacon signals received from a malicious AP.
  • the malicious AP identification method may include: obtaining first time information associated with the first beacon signal; comparing the first time information with second time information associated with a second beacon signal of a second AP; and determining whether the first AP is a malicious AP based on the comparison result.
  • the first time information includes first time stamp information included in the first beacon signal and first reception time information of the first beacon signal, and the second time information includes second time stamp information included in the second beacon signal and second reception time information of the second beacon signal, wherein the determining may include determining the first AP to be a malicious AP if the difference value between the first time stamp information and the second time stamp information does not correspond to the difference value between the first reception time information and the second reception time information.
  • the first AP may be an AP to which the terminal device attempts to connect after the connection between the terminal device and the second AP is terminated, and the identification information of the first AP may be the same as the identification information of the second AP.
  • the comparing may include comparing the first performance information with the second performance information of the second AP received from a server device when the SSID of the first AP is included in a pre-stored SSID list.
  • the malicious AP identification method may include: transmitting a request message including at least one of predetermined identification information and predetermined channel information to the first AP; receiving a response message from the first AP in response to the request message; and, when the response message includes at least one of the predetermined identification information and the predetermined channel information, determining the first AP to be a malicious AP.
  • the malicious AP identification method may include: predicting the first time information from the (n+1)-th beacon signal onward based on the first time information associated with the first beacon signals received from the first AP up to the n-th (n is a natural number); comparing the predicted first time information with the first time information of the first beacon signals received from the (n+1)-th onward; and determining whether the first AP is a malicious AP based on the comparison result.
  • the predicting may include predicting the first time information from the (n+1)-th beacon signal onward through linear regression analysis.
  • the determining may include determining the first AP to be a malicious AP when the difference values between the predicted first time information and the first time information of the first beacon signals received from the (n+1)-th onward increase or decrease with time.
  • the malicious AP identification method may include: comparing a first arrangement order of the information elements in the first beacon signal with a previously stored second arrangement order of information elements; and determining whether the first AP is a malicious AP based on the comparison result.
  • a terminal device may include a memory configured to store one or more instructions, and a processor that executes the one or more instructions stored in the memory, wherein the processor obtains first performance information related to hardware of a first AP based on a first beacon signal received from the first AP, compares previously stored second performance information of a second AP with the first performance information, and determines whether the first AP is a malicious AP based on the comparison result.
  • the processor may acquire first time information associated with the first beacon signal, compare second time information associated with a second beacon signal of the second AP with the first time information, and determine whether the first AP is a malicious AP based on the comparison result.
  • the processor may transmit a request message including at least one of predetermined identification information and predetermined channel information to the first AP, receive a response message from the first AP in response to the request message, and, when at least one of the predetermined identification information and the predetermined channel information is included in the response message, determine the first AP to be a malicious AP.
  • the processor may predict the first time information from the (n+1)-th beacon signal onward based on the first time information associated with the first beacon signals received from the first AP up to the n-th (n is a natural number), compare the predicted first time information with the first time information of the first beacon signals received from the (n+1)-th onward, and determine whether the first AP is a malicious AP based on the comparison result.
  • when one component is referred to as being 'connected' to another component, the one component may be directly connected to the other component, but unless specifically stated otherwise, it is to be understood that it may also be connected via another component in between.
  • each component represented by 'unit', 'module', etc. may have two or more components combined into one component, or may be divided into two or more components according to subdivided functions.
  • each component to be described below may additionally perform some or all of the functions of other components in addition to the main functions for which it is responsible, and some of the main functions of each component may, of course, be performed exclusively by another component.
  • an 'AP (access point)' is a device for mediating a network connection of a terminal device, and may include, for example, a Wi-Fi device.
  • the 'identification information of the AP' may include at least one of a service set identifier (SSID) and a basic service set identifier (BSSID) for identifying the AP.
  • SSID service set identifier
  • BSSID basic service set identifier
  • FIGS. 1A, 1B, and 1C are diagrams for describing a situation in which the user terminal 10 accesses a malicious AP.
  • hackers can steal users' personal information by inducing their terminals 10 to access the malicious AP.
  • when the user terminal 10 is connected to the normal AP 20, the malicious AP 30 having the same identification information as the normal AP 20 transmits a deauthentication packet to the user terminal 10 and to the normal AP 20.
  • the user terminal 10 and the normal AP 20, upon receiving the deauthentication packet, release the connection between each other.
  • most packets transmitted and received between the user terminal 10 and the normal AP 20 are encrypted, but since the deauthentication packet is not encrypted, the malicious AP 30 can transmit a forged deauthentication packet to the user terminal 10 and the normal AP 20 to release the connection between them.
  • after the connection between the user terminal 10 and the normal AP 20 is released, the malicious AP 30 increases its signal strength so that the user terminal 10 connects to the malicious AP 30 instead of the normal AP 20. Since the identification information of the normal AP 20 and the identification information of the malicious AP 30 are the same from the standpoint of the user terminal 10, it cannot tell that they are different APs, and simply connects to the malicious AP 30, which has the larger signal strength.
  • the identification information of the malicious AP 40 is set to the identification information of a trusted public AP. Users see the identification information of the malicious AP 40, mistake the malicious AP 40 for the public AP, and connect their terminal 10 to the malicious AP 40.
  • a malicious AP is run in software on a computer 50 (e.g., a laptop or desktop computer). Users mistake the malicious AP for a normal AP and connect to the computer 50.
  • a computer 50: e.g., a laptop, desktop computer, etc.
  • FIG. 2 is a block diagram illustrating a configuration of a terminal device 200 according to an exemplary embodiment.
  • the terminal device 200 may include a memory 210, a communication unit 230, and a control unit 250.
  • the memory 210, the communicator 230, and the controller 250 may be implemented with at least one processor.
  • the controller 250 may execute one or more instructions stored in the memory 210 to perform identification of a malicious AP, which will be described later.
  • the memory 210 may store information for determining whether the first AP to which the terminal device 200 wants to access corresponds to a malicious AP.
  • the first AP is an AP to which the terminal device 200 wants to access and refers to an AP for which it is determined whether it is normal or malicious.
  • the information for determining whether the first AP corresponds to a malicious AP may include, for example, at least one of performance information, time information, location information, and identification information of the second AP corresponding to the normal AP.
  • a method of determining whether the first AP corresponds to a malicious AP based on at least one of performance information, time information, location information, and identification information of the second AP will be described later.
  • the communication unit 230 connects to the first AP and / or the second AP or releases the connection with the first AP and / or the second AP under the control of the controller 250.
  • the communicator 230 may transmit / receive data with the first AP and / or the second AP.
  • the communicator 230 may access the Internet through the first AP and / or the second AP.
  • the communication unit 230 may operate according to, for example, the IEEE 802.11 standard.
  • the controller 250 determines whether the first AP is a malicious AP based on the information stored in the memory 210 and the information received from the first AP, and controls whether the communication unit 230 connects to the first AP according to the determination result. If the first AP is a malicious AP, the controller 250 blocks the connection between the communicator 230 and the first AP; if the first AP is a normal AP, the controller 250 allows the connection between the communicator 230 and the first AP.
  • the terminal device 200 may include a laptop, a smartphone, a tablet PC, a wearable device, and the like, which can communicate with an external device through the AP, but is not limited thereto.
  • FIG. 3 is a flowchart illustrating a malicious AP identification method of the terminal device 200 according to an embodiment.
  • the controller 250 obtains first performance information related to hardware of the first AP based on a beacon signal received from the first AP to which it wants to connect.
  • the performance information of the AP is information about the performance the AP exhibits based on its hardware, and may include, for example, the allowed bit rates, the coverage of the AP, channel information, power information, and high throughput (HT) capability information, but is not limited to these.
  • the controller 250 compares the first performance information with the second performance information of the second AP previously stored.
  • the second AP refers to an AP determined by the terminal device 200 as a normal AP or confirmed as a normal AP by an external server.
  • the controller 250 may determine whether the first AP is a malicious AP according to the comparison result in operation S320.
  • the controller 250 may determine that the first AP is a normal AP when the first performance information corresponds to the second performance information. In addition, the controller 250 may determine that the first AP is a malicious AP when the first performance information does not correspond to the second performance information.
  • when the first performance information corresponds to the second performance information, the terminal device 200 judges the first AP to be a normal AP.
  • the controller 250 controls the communication unit 230 to access the first AP.
  • the communicator 230 may communicate with an external device through the first AP. If it is determined that the first AP is malicious, the controller 250 blocks the communication unit 230 from connecting to the first AP.
  • the performance information of the AP includes information related to hardware of the AP, and since the beacon signal is generated from firmware of the AP, it is difficult for a hacker to manipulate the performance information. Therefore, in one embodiment, by comparing the performance information of the normal AP and the performance information of the AP to be connected, it is determined whether the AP to be connected is a malicious AP.
  • FIG. 4 is a flowchart illustrating a malicious AP identification method of the terminal device 200 according to an embodiment.
  • the terminal device 200 connects to the second AP 430, which is not a malicious AP (S410).
  • the terminal device 200 may communicate with an external device, for example, a server, through the second AP 430.
  • the terminal device 200 receives a beacon signal from the second AP 430 (S420), and obtains and stores second performance information related to hardware of the second AP 430 from the beacon signal (S430). FIG. 4 illustrates the terminal device 200 receiving the beacon signal from the second AP 430 after connecting to it, but the terminal device 200 can receive beacon signals even before it connects to the second AP 430. This is because the beacon signal is broadcast by the AP regardless of whether the terminal device 200 is connected.
  • FIG. 5 is an exemplary diagram illustrating a structure of a beacon signal 500.
  • the beacon signal 500 may include a header and a body.
  • the body includes a timestamp field 510 and an option field 520, and the timestamp field 510 includes time information related to the beacon signal 500, for example, generation time information of the beacon signal 500.
  • the option field 520 includes information elements, which may include the above-described performance information of the AP.
  • the terminal device 200 may store second time information based on the beacon signal of the second AP 430 (S430), where the second time information may include at least one of second timestamp information included in the beacon signal of the second AP 430 and second reception time information indicating the reception time of the beacon signal of the second AP 430.
  • after storing the second performance information, the terminal device 200 releases the connection with the second AP 430 (S440). As described above, the terminal device 200 may release the connection with the second AP 430 in response to a deauthentication packet received from the first AP 410.
  • the terminal device 200 receives a beacon signal from the first AP 410 to which it wants to connect (S450), and compares the first performance information of the first AP 410 obtained from the received beacon signal with the pre-stored second performance information (S460).
  • although FIG. 3 illustrates the beacon signal being received from the first AP 410 after the connection between the terminal device 200 and the second AP 430 is released, the terminal device 200 may receive the beacon signal of the first AP 410 even while connected to the second AP 430. This is because the beacon signal is broadcast by the AP regardless of whether the terminal device 200 is connected.
  • the terminal device 200 may obtain first time information from the beacon signal of the first AP 410.
  • the first time information may include at least one of first time stamp information included in a beacon signal of the first AP 410 and first reception time information indicating a reception time of the beacon signal of the first AP 410.
  • when the first performance information corresponds to the second performance information, the terminal device 200 determines that the first AP 410 is a normal AP and connects to the first AP 410 (S470). If the first performance information does not correspond to the second performance information, the terminal device 200 may not connect to the first AP 410. As described above, when the first AP 410 is the same AP as the second AP 430, the first performance information and the second performance information are also the same, so the terminal device 200 finds that the first performance information corresponds to the second performance information and determines the first AP 410 to be a normal AP.
  • the terminal device 200 may access the first AP 410.
  • whether the first time information corresponds to the second time information may be determined based on the first time stamp information, the first reception time information, the second time stamp information, and the second reception time information.
  • if the first time information does not correspond to the second time information, the terminal device 200 can determine the first AP 410 to be a malicious AP. For example, if the difference value between the first time stamp information and the second time stamp information is not equal to the difference value between the first reception time information and the second reception time information, the terminal device 200 can determine the first AP 410 to be a malicious AP.
  • if the difference between these two difference values is greater than or equal to a first value, the terminal device 200 may determine the first AP 410 to be a malicious AP.
  • the difference value between the first time stamp information and the second time stamp information should be the same as the difference value between the first reception time information and the second reception time information; if the two difference values differ, this means that the first AP 410 is a malicious AP.
  • likewise, the terminal device 200 can determine the first AP 410 to be a malicious AP when the difference value between the first time stamp information and the first reception time information is not the same as the difference value between the second time stamp information and the second reception time information.
  • if the difference between these two difference values is greater than or equal to a first value, the terminal device 200 may determine the first AP 410 to be a malicious AP.
  • the difference value between the first time stamp information and the first reception time information corresponds to the distance between the terminal device 200 and the first AP 410, and the difference value between the second time stamp information and the second reception time information corresponds to the distance between the terminal device 200 and the second AP 430; when the two difference values do not match, the terminal device 200 may determine the first AP 410 to be a malicious AP.
  • the terminal device 200 may determine whether the first AP 410 is a malicious AP based on at least one of the comparison result of the first performance information with the second performance information and the comparison result of the first time information with the second time information.
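The two time-information comparisons above, as an added Python example that is not the patent's own code: beacons stored while connected to the second AP 430 are compared with one candidate beacon from the first AP 410, the "first value" threshold is derived from the jitter seen in the stored history, and a timestamp that has gone backwards is reported as inconclusive because a rebooted AP restarts its timer. The sample timestamps, the tolerance floor, and every name here are assumptions.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class BeaconTime:
    timestamp_us: int   # timestamp carried in the beacon body (microseconds, AP clock)
    rx_time_us: int     # terminal's own clock at reception (microseconds)

def clock_offset_us(b: BeaconTime) -> int:
    """AP timestamp minus terminal reception time: constant for one AP, up to jitter."""
    return b.timestamp_us - b.rx_time_us

def jitter_tolerance_us(stored: List[BeaconTime], floor_us: int = 2_000) -> int:
    """The 'first value': derived from how much the offset wandered while connected
    to the second AP, with an assumed floor so a very quiet history is not over-trusted."""
    offsets = [clock_offset_us(b) for b in stored]
    return max(floor_us, 3 * (max(offsets) - min(offsets)))

def check_time_consistency(stored: List[BeaconTime], candidate: BeaconTime) -> str:
    """Judge the first AP's beacon against the second AP's history:
    'normal', 'malicious' or 'inconclusive'."""
    if not stored:
        return "inconclusive"
    last = stored[-1]
    if candidate.timestamp_us < last.timestamp_us:
        # A real beacon timestamp only counts up; it restarts from zero when the AP
        # reboots, so a smaller value cannot be judged by this check alone.
        return "inconclusive"
    ts_delta = candidate.timestamp_us - last.timestamp_us   # difference of the two timestamps
    rx_delta = candidate.rx_time_us - last.rx_time_us       # difference of the two reception times
    # The description phrases the check two ways; both reduce to the same quantity:
    # (ts1 - ts2) - (rx1 - rx2) == (ts1 - rx1) - (ts2 - rx2).
    if abs(ts_delta - rx_delta) < jitter_tolerance_us(stored):
        return "normal"
    return "malicious"

# Constructed history: five beacons from the second AP, beacon interval 102_400 us,
# with a little reception jitter on the terminal side.
SECOND_AP_HISTORY = [
    BeaconTime(5_000_000 + k * 102_400, 1_000_000_000 + k * 102_400 + jitter)
    for k, jitter in enumerate([0, 150, -120, 80, 30])
]
# Next beacon from the same AP: its timestamp keeps advancing in step with our clock.
SAME_AP_NEXT = BeaconTime(5_512_000, 1_000_512_060)
# A beacon carrying the same identification information but a timer that started elsewhere.
IMPOSTOR_NEXT = BeaconTime(90_000_000, 1_000_512_050)
# The real AP after a reboot: timer restarted, which this check cannot judge on its own.
REBOOTED_AP_NEXT = BeaconTime(200_000, 1_000_512_050)

if __name__ == "__main__":
    for name, beacon in (("same AP", SAME_AP_NEXT), ("impostor", IMPOSTOR_NEXT),
                         ("rebooted AP", REBOOTED_AP_NEXT)):
        print(f"{name}: {check_time_consistency(SECOND_AP_HISTORY, beacon)}")
```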
  • FIG. 6 is a flowchart illustrating a malicious AP identification method of the terminal device 200 according to an embodiment.
  • the server 450 stores second performance information of the second APs corresponding to the normal AP (S610).
  • the server 450 may further store second location information and second BSSIDs of the second APs.
  • the server 450 may receive and store at least one of the second performance information, the second location information, and the second BSSIDs of the second APs from user terminals connected to the second APs.
  • the second location information may include GPS coordinate information indicating the installation location of the second AP, but is not limited thereto.
  • the terminal device 200 receives the second performance information of the second APs from the server 450 (S620).
  • the terminal device 200 may further receive second location information and second BSSIDs of the second APs.
  • the terminal device 200 may receive the SSID list of the second APs from the server 450.
  • the terminal device 200 receives a beacon signal from the first AP 410 to be connected (S630), and obtains first performance information of the first AP 410 from the beacon signal.
  • the terminal device 200 may further obtain first location information and first BSSID of the first AP 410.
  • the first location information may include GPS coordinate information indicating the installation location of the first AP 410, but is not limited thereto.
  • the terminal device 200 compares the first performance information with the second performance information (S640), and connects to the first AP 410 according to the comparison result (S650).
  • the terminal device 200 may access the first AP 410 when the first performance information corresponds to the second performance information. If the first performance information does not correspond to the second performance information, the terminal device 200 may not access the first AP 410.
  • the terminal device 200 may not connect to the first AP 410 if at least one of the first location information and the first BSSID does not correspond to at least one of the second location information and the second BSSID.
  • if any one of the first performance information, the first location information, and the first BSSID does not correspond to the second performance information, the second location information, and the second BSSID, respectively, the terminal device 200 may not connect to the first AP 410.
  • the embodiment shown in FIG. 6 may be valid when the first AP 410 masquerades as a public AP.
  • the malicious AP disguised as the public AP may have the SSID of the public AP.
  • when the SSID of the first AP 410 is included in the SSID list of public APs, the terminal device 200 can determine whether the first AP 410 is a malicious AP by comparing the performance information of the public AP received from the server 450 with the performance information of the first AP 410.
  • FIG. 7 is a flowchart illustrating a malicious AP identification method of the terminal device 200 according to an embodiment.
  • the embodiment related to FIG. 7 and FIG. 10 to be described later may be effective for blocking access to a malicious AP implemented by the software described with reference to FIG. 1C.
  • the terminal device 200 transmits a request message (eg, a probe request packet) to the first AP 410 (S710).
  • the terminal device 200 may include at least one of identification information (eg, SSID of the terminal device 200) and channel information in the request message.
  • the number of identification information included in the request message may be one or more, and the number of channel information included in the request message may be one or more.
  • the identification information and the channel information included in the request message may be fake information. In other words, the identification information and the channel information included in the request message need not be the actual identification information of the terminal device 200 or the channel information actually used by the terminal device 200.
  • the terminal device 200 receives a response message (for example, a probe response packet) from the first AP 410 as a response to the request message (S720), and checks whether at least one of the identification information and the channel information included in the request message is included in the response message.
  • a response message for example, a probe response packet
  • if the identification information or the channel information included in the request message is included in the response message, the terminal device 200 blocks the connection to the first AP 410; if it is not included in the response message, the terminal device 200 may connect to the first AP 410 (S740).
  • in the case of a software-based malicious AP, there may be errors in the response message, since the response message is not generated by firmware. For example, a certain software-based malicious AP may generate the response message by reusing the request message received from the terminal device 200 as it is. Therefore, in one embodiment, when the identification information and the channel information included in the request message are also included in the response message, the first AP 410 is determined to be a malicious AP.
  • when the response message includes a plurality of identification information or a plurality of channel information, the terminal device 200 may also determine the first AP 410 to be a malicious AP and block the connection to it.
  • the response message should include the identification information and the channel information of the AP.
  • since the malicious AP uses the request message to generate the response message, the response message may include a plurality of identification information or a plurality of channel information.
  • FIGS. 8 and 9 illustrate the results of analyzing a response message received from a normal AP and a response message received from a malicious AP.
  • FIG. 8 (a) shows the analysis result of the response message received from the normal AP, and FIG. 8 (b) shows the analysis result of the response message received from the malicious AP. Referring to FIG. 8, it can be seen that the SSID 800 of 'test' is included in the response message received from the malicious AP.
  • FIG. 9 (a) shows the analysis result of the response message received from the normal AP, and FIG. 9 (b) shows the analysis result of the response message received from the malicious AP.
  • Referring to FIG. 9, channel information 900 of '6' and '49' is included in the response message received from the malicious AP.
  • Channel information '49' is fake information that is not used in the IEEE 802.11 standard.
  • That is, the response message received from the malicious AP includes the 'test' SSID and the '49' channel information that were included in the request message.
  • FIG. 10 is a flowchart illustrating a malicious AP identification method of the terminal device 200 according to an embodiment.
  • The terminal device 200 receives an n-th (n is a natural number) beacon signal from the first AP 410 (S1010).
  • n may be a natural number greater than 1.
  • n may refer to the order in which the terminal device 200 receives the beacon signals broadcast by the first AP 410.
  • The terminal device 200 predicts the first time information of the (n+1)-th and subsequent beacon signals based on the first time information associated with the beacon signals received up to the n-th (S1020).
  • The first time information may include first time stamp information included in the beacon signal, or first reception time information indicating the reception time of the beacon signal. Since the time stamp values of periodically broadcast beacon signals increase with time, the terminal device 200 can predict the subsequent first time information based on the first time information associated with the beacon signals received up to the n-th.
  • For example, the terminal device 200 may predict the first time information through linear regression analysis. Since the time stamp values included in the beacon signals increase linearly with time, various algorithms that can predict future time stamp values may be used.
  • The terminal device 200 receives the (n+1)-th and subsequent beacon signals from the first AP 410 (S1030).
  • The terminal device 200 compares the first time information associated with the (n+1)-th and subsequent beacon signals with the predicted first time information (S1040).
  • When the difference between the predicted first time information and the first time information of the beacon signals received from the (n+1)-th onward increases or decreases with time, the first AP 410 can be determined to be a malicious AP.
  • In the case of a normal AP, the beacon signal is generated by the firmware that controls the hardware, so the beacon generation period and the time stamp values are accurate. In the case of a software-based malicious AP, the beacon signal is generated by an application, so there is a high probability that errors occur in the generation period or in the time stamp values.
  • Because an application that generates beacon signals runs on the computer's CPU, RAM, etc., and these resources are also used by other running applications, errors are likely to occur in the application's beacon generation operation and in its setting of the time stamp value.
  • FIG. 11 is a diagram illustrating a result of analyzing time stamp information of beacon signals received from a normal AP and time stamp information of beacon signals received from a malicious AP.
  • In the case of the normal AP, the difference between the predicted time stamp values and the actual time stamp values tends to be constant with time, but in the case of the malicious AP, as shown in FIG. 11, the difference between the predicted time stamp values and the actual time stamp values may tend to increase with time.
  • In other words, for the normal AP the slope of the difference between the predicted time stamp values and the actual time stamp values is 0, but for the malicious AP, as shown in FIG. 11, the slope of the difference values between the predicted time stamp values and the actual time stamp values may be greater than zero or less than zero.
  • When the first AP 410 is not determined to be a malicious AP, the terminal device 200 accesses the first AP 410 (S1050).
  • When the terminal device 200 determines the first AP 410 to be a malicious AP, access to the first AP 410 may be blocked.
  • The terminal device 200 may also determine the first AP 410 to be a malicious AP when the difference between the first time information of each of the plurality of beacon signals received from the first AP 410 and the first time information of the immediately preceding beacon signal gradually increases or decreases over time. For example, the difference between the first time information of the i-th beacon signal and the first time information of the (i-1)-th beacon signal should be constant with time; if these differences gradually increase or decrease, the first AP 410 can be determined to be a malicious AP.
  • The terminal device 200 may compare a first arrangement order of the information elements in the beacon signal received from the first AP 410 with a second arrangement order of information elements stored in advance, and if the first arrangement order corresponds to the second arrangement order, the first AP 410 may be determined to be a malicious AP.
  • A software-based malicious AP includes the information elements in the beacon signal in the order set by the software. The terminal device 200 therefore stores in advance the order in which the software-based malicious AP arranges the information elements, and determines whether the first AP 410 is a software-based malicious AP by comparing the first arrangement order of the information elements in the beacon signal received from the first AP 410 with the stored second arrangement order.
  • The embodiment shown in FIG. 7 corresponds to an active probing method in which the terminal device 200 transmits a request message to the first AP 410.
  • The embodiment shown in FIG. 10 may correspond to a passive probing method that analyzes a beacon signal received from the first AP 410.
  • The terminal device 200 may also determine whether the first AP 410 is a malicious AP by combining the embodiments shown in FIGS. 7 and 10. For example, when the first AP 410 is determined to be a normal AP according to the active probing method and is also determined to be a normal AP according to the passive probing method, the terminal device 200 may finally determine the first AP 410 to be a normal AP. When the first AP 410 is determined to be a malicious AP according to either the active probing method or the passive probing method, the terminal device 200 may finally determine the first AP 410 to be a malicious AP.
  • The terminal device 200 may determine whether the first AP 410 is a malicious AP according to at least one of the embodiments shown in FIG.
  • When the first AP 410 is determined to be a normal AP according to all of the embodiment shown in FIG. 4, the embodiment shown in FIG. 7, and the embodiment shown in FIG. 10, the first AP 410 may finally be determined to be a normal AP.
  • When the terminal device 200 determines the first AP 410 to be a malicious AP according to any one of the embodiment shown in FIG. 4, the embodiment shown in FIG. 7, and the embodiment shown in FIG. 10, the first AP 410 may finally be determined to be a malicious AP.
  • When the first AP 410 is determined to be a normal AP according to all of the embodiment shown in FIG. 6, the embodiment shown in FIG. 7, and the embodiment shown in FIG. 10, the terminal device 200 may finally determine the first AP 410 to be a normal AP.
  • When the terminal device 200 determines the first AP 410 to be a malicious AP according to any one of the embodiment shown in FIG. 6, the embodiment shown in FIG. 7, and the embodiment shown in FIG. 10, the first AP 410 may finally be determined to be a malicious AP.
  • The above-described embodiments of the present disclosure can be written as a program executable on a computer, and the created program can be stored in a medium.
  • The medium may store the computer-executable program persistently, or store it temporarily for execution or download.
  • The medium may be any of various recording or storage means in the form of single or combined hardware; it is not limited to a medium directly connected to a particular computer system and may be distributed over a network.
  • Examples of the medium include magnetic media such as hard disks, floppy disks and magnetic tape; optical recording media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and ROM, RAM, flash memory, and the like, configured to store program instructions.
  • Examples of other media include a recording medium or storage medium managed by an app store that distributes applications, by a site that supplies or distributes various software, by a server, or the like.
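
The active probing check of FIGS. 7 to 9 (a fake SSID and a fake channel placed in the probe request and echoed back by a software-based AP) and the information-element ordering check described above, as an added Python example that is not part of the patent or of any Samsung implementation. It assumes the terminal already has the tagged-parameter bytes of the probe response or beacon, for instance from a capture; the frames, the 'test' SSID and channel '49' taken from the description, the 5 GHz channel list, and the stored software-AP element order are constructed for the example.

```python
"""Information-element checks on probe responses and beacons.

Added example (not the patent's or Samsung's code) for two checks in the
description:
  * active probing (FIGS. 7 to 9): the terminal put a fake SSID and a fake
    channel into its probe request; a response that echoes them was built
    from the request instead of from the AP's own firmware state;
  * IE ordering: the order of element IDs in a beacon is compared with a
    stored order known to be produced by a software-based AP.
Element IDs follow IEEE 802.11 (0 = SSID, 1 = Supported Rates,
3 = DS Parameter Set, which carries the channel). All frames and the
stored software-AP order below are constructed.
"""

ELEM_SSID = 0
ELEM_SUPPORTED_RATES = 1
ELEM_DS_PARAMS = 3

# Channels a real 802.11 AP can announce: 2.4 GHz 1-14 plus the 5 GHz
# channels 36-64, 100-144 and 149-165 in steps of 4. 49 is not among them.
VALID_CHANNELS = (set(range(1, 15)) | set(range(36, 65, 4))
                  | set(range(100, 145, 4)) | set(range(149, 166, 4)))


def parse_elements(body: bytes):
    """Parse the tagged-parameter part of a management frame into an ordered
    list of (element_id, value). A truncated trailing element is dropped
    rather than raising; a malformed frame is itself worth noticing."""
    elems, pos = [], 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        pos += 2
        if pos + length > len(body):
            break
        elems.append((eid, body[pos:pos + length]))
        pos += length
    return elems


def build_elements(pairs):
    """Inverse of parse_elements; used here only to construct sample frames."""
    return b"".join(bytes([eid, len(value)]) + value for eid, value in pairs)


def ssids(elems):
    return [v.decode("utf-8", "replace") for eid, v in elems if eid == ELEM_SSID]


def channels(elems):
    return [v[0] for eid, v in elems if eid == ELEM_DS_PARAMS and len(v) == 1]


def echoes_fake_request(response_body, fake_ssid, fake_channel):
    """Active probing check: True when the fake SSID or the fake channel that
    the terminal sent in its probe request comes back in the response."""
    elems = parse_elements(response_body)
    return fake_ssid in ssids(elems) or fake_channel in channels(elems)


def announces_invalid_channel(response_body):
    """Secondary signal: a DS Parameter Set value no real AP would send."""
    return any(ch not in VALID_CHANNELS
               for ch in channels(parse_elements(response_body)))


def matches_stored_order(beacon_body, stored_order):
    """Passive check: does the beacon's element order equal a stored ordering
    produced by a known software-based AP?"""
    return [eid for eid, _ in parse_elements(beacon_body)] == list(stored_order)


def classify(response_body, fake_ssid, fake_channel, beacon_body, stored_order):
    """'malicious' if any check fires, otherwise 'normal'."""
    if (echoes_fake_request(response_body, fake_ssid, fake_channel)
            or announces_invalid_channel(response_body)
            or matches_stored_order(beacon_body, stored_order)):
        return "malicious"
    return "normal"


# --- constructed sample data (values 'test' and 49 come from the description)
FAKE_SSID, FAKE_CHANNEL = "test", 49
RATES = bytes([0x82, 0x84, 0x8B, 0x96])       # 1, 2, 5.5, 11 Mb/s, basic rates

# Normal AP: answers with its own SSID and its real channel.
NORMAL_RESPONSE = build_elements([(ELEM_SSID, b"CafeNet"),
                                  (ELEM_SUPPORTED_RATES, RATES),
                                  (ELEM_DS_PARAMS, bytes([6]))])
# Software AP that reused the request: fake SSID plus two DS Parameter Sets.
MALICIOUS_RESPONSE = build_elements([(ELEM_SSID, FAKE_SSID.encode()),
                                     (ELEM_SUPPORTED_RATES, RATES),
                                     (ELEM_DS_PARAMS, bytes([6])),
                                     (ELEM_DS_PARAMS, bytes([FAKE_CHANNEL]))])

# Hypothetical stored element order of a software-based AP (an assumption).
SOFTWARE_AP_ORDER = (ELEM_SSID, ELEM_DS_PARAMS, ELEM_SUPPORTED_RATES)
NORMAL_BEACON = NORMAL_RESPONSE
SOFTWARE_BEACON = build_elements([(ELEM_SSID, b"CafeNet"),
                                  (ELEM_DS_PARAMS, bytes([6])),
                                  (ELEM_SUPPORTED_RATES, RATES)])
```

The parser keeps duplicate elements in order, which is what makes the second DS Parameter Set visible; a parser that stores elements in a dict keyed by ID would silently hide the echoed channel.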
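
The passive beacon timing checks of FIGS. 10 and 11 (a linear-regression prediction of time stamps from the first n beacons, the trend of the prediction error afterwards, and the inter-beacon difference check), as an added Python example that is not the patent's own code. The beacon reception times and TSF time stamps are constructed; the 100 TU beacon interval, the training window of 10 beacons and the 50 ppm and 1 µs thresholds are assumptions made for the sample data.

```python
"""Beacon time-stamp drift checks.

Added example (not the patent's or Samsung's code) for the passive method of
FIGS. 10 and 11. A normal AP stamps beacons from a hardware TSF clock, so a
line fitted to the first n time stamps predicts the later ones and the
prediction error stays flat. A software-based AP stamps beacons from an
application, so the error tends to grow or shrink over time. The second
check looks at consecutive time-stamp differences instead, as described for
the i-th and (i-1)-th beacons. All beacon data below is constructed.
"""

BEACON_INTERVAL_US = 102_400   # 100 TU, a common default beacon interval


def fit_line(xs, ys):
    """Ordinary least-squares line y = a + b*x; returns (a, b)."""
    if len(xs) < 2:
        raise ValueError("need at least two points to fit a line")
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def prediction_error_drift_ppm(rx_times_us, timestamps_us, n_train):
    """S1020 to S1040: fit on the first n_train beacons, predict the (n+1)-th
    and later time stamps from their reception times, and return the slope
    of (actual - predicted) against reception time in parts per million.
    A normal AP gives roughly 0; a drifting software AP gives a clearly
    positive or negative value. A constant clock-rate offset is absorbed by
    the fit, so only an error that changes over time is reported."""
    a, b = fit_line(rx_times_us[:n_train], timestamps_us[:n_train])
    later_x = rx_times_us[n_train:]
    errors = [ts - (a + b * x)
              for x, ts in zip(later_x, timestamps_us[n_train:])]
    _, drift = fit_line(later_x, errors)
    return drift * 1e6


def interval_drift_us_per_beacon(timestamps_us):
    """Slope of the consecutive time-stamp differences against beacon index.
    These differences should stay constant (the beacon interval)."""
    diffs = [t1 - t0 for t0, t1 in zip(timestamps_us, timestamps_us[1:])]
    _, slope = fit_line(list(range(len(diffs))), diffs)
    return slope


def is_malicious_ap(rx_times_us, timestamps_us, n_train=10,
                    max_drift_ppm=50.0, max_interval_drift_us=1.0):
    """Thresholds are assumptions chosen for the constructed data below; a
    real deployment would calibrate them against known-good APs."""
    drift = prediction_error_drift_ppm(rx_times_us, timestamps_us, n_train)
    interval = interval_drift_us_per_beacon(timestamps_us)
    return abs(drift) > max_drift_ppm or abs(interval) > max_interval_drift_us


def _jitter_us(i):
    """Deterministic +-2 us noise so the sample is reproducible."""
    return (i * 7) % 5 - 2


def constructed_beacons(software_ap, count=30):
    """Reception times and TSF time stamps for `count` beacons. The software
    AP variant adds an error that grows quadratically, i.e. its beacon
    interval keeps lengthening as the host gets busier."""
    rx = [i * BEACON_INTERVAL_US for i in range(count)]
    ts = []
    for i in range(count):
        t = 1_000_000 + i * BEACON_INTERVAL_US + _jitter_us(i)
        if software_ap:
            t += 10 * i * i
        ts.append(t)
    return rx, ts


if __name__ == "__main__":
    for label, flag in (("normal AP", False), ("software AP", True)):
        rx, ts = constructed_beacons(flag)
        print(label,
              "drift = %.1f ppm," % prediction_error_drift_ppm(rx, ts, 10),
              "interval drift = %.2f us/beacon," % interval_drift_us_per_beacon(ts),
              "malicious:", is_malicious_ap(rx, ts))
```

Reception time is used as the regression input here; the description also allows the time stamp itself, in which case the same functions apply with the beacon index or the previous time stamp as the input.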

Abstract

An embodiment of the invention concerns a method for identifying a malicious AP, comprising: acquiring first performance information relating to the hardware of a first AP on the basis of a first beacon signal received from the first AP; comparing pre-stored second performance information of a second AP with the first performance information; and determining whether the first AP is a malicious AP on the basis of the comparison result.
PCT/KR2019/006389 2018-05-28 2019-05-28 Dispositif terminal et procédé d'identification d'un ap malveillant à l'aide dudit terminal WO2019231215A1 (fr)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US17/057,848 US11457362B2 (en) 2018-05-28 2019-05-28 Terminal device and method for identifying malicious AP by using same
KR1020207029216A KR102378515B1 (ko) 2018-05-28 2019-05-28 단말 장치 및 이에 의한 악성 ap의 식별 방법
CN201980036707.9A CN112237017B (zh) 2018-05-28 2019-05-28 终端设备以及通过使用该终端设备识别恶意ap的方法
US17/949,711 US20230016491A1 (en) 2018-05-28 2022-09-21 Terminal device and method for identifying malicious ap by using same

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862677117P 2018-05-28 2018-05-28
US62/677,117 2018-05-28

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US17/057,848 A-371-Of-International US11457362B2 (en) 2018-05-28 2019-05-28 Terminal device and method for identifying malicious AP by using same
US17/949,711 Continuation US20230016491A1 (en) 2018-05-28 2022-09-21 Terminal device and method for identifying malicious ap by using same

Publications (1)

Publication Number Publication Date
WO2019231215A1 true WO2019231215A1 (fr) 2019-12-05

Family

ID=68697061

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2019/006389 WO2019231215A1 (fr) 2018-05-28 2019-05-28 Dispositif terminal et procédé d'identification d'un ap malveillant à l'aide dudit terminal

Country Status (4)

Country Link
US (2) US11457362B2 (fr)
KR (1) KR102378515B1 (fr)
CN (1) CN112237017B (fr)
WO (1) WO2019231215A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11239874B2 (en) * 2020-01-30 2022-02-01 Deeyook Location Technologies Ltd. System, apparatus, and method for providing wireless communication and a location tag
US11432152B2 (en) 2020-05-04 2022-08-30 Watchguard Technologies, Inc. Method and apparatus for detecting and handling evil twin access points
CN116156500A (zh) * 2021-11-23 2023-05-23 大唐移动通信设备有限公司 设备鉴权方法及装置

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060200862A1 (en) * 2005-03-03 2006-09-07 Cisco Technology, Inc. Method and apparatus for locating rogue access point switch ports in a wireless network related patent applications
US20070242610A1 (en) * 2002-03-29 2007-10-18 Miles Wu Detecting a counterfeit access point in a wireless local area network
US20140376533A1 (en) * 2013-06-21 2014-12-25 Kabushiki Kaisha Toshiba Wireless communication apparatus and wireless communication system
KR20150028139A (ko) * 2013-09-05 2015-03-13 숭실대학교산학협력단 로그 ap 탐지 시스템 및 방법
US20170126705A1 (en) * 2015-10-29 2017-05-04 Mojtaba Mojy Mirashrafi Wireless hotspot attack detection

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7069024B2 (en) * 2003-10-31 2006-06-27 Symbol Technologies, Inc. System and method for determining location of rogue wireless access point
US7768960B1 (en) * 2004-07-20 2010-08-03 Atheros Communications, Inc. Efficient communication channel survey
US8782745B2 (en) 2006-08-25 2014-07-15 Qwest Communications International Inc. Detection of unauthorized wireless access points
CN101277229A (zh) * 2008-05-26 2008-10-01 杭州华三通信技术有限公司 一种非法设备的检测方法和无线客户端
WO2010030950A2 (fr) * 2008-09-12 2010-03-18 University Of Utah Research Foundation Procédé et système de détection de points d'accès sans fil non autorisés en utilisant des décalages d'horloge
WO2012091529A2 (fr) 2010-12-30 2012-07-05 (주)노르마 Terminal
US8655312B2 (en) * 2011-08-12 2014-02-18 F-Secure Corporation Wireless access point detection
CN103634270B (zh) * 2012-08-21 2017-06-16 中国电信股份有限公司 识别接入点合法性的方法、系统与接入点鉴别服务器
KR101953547B1 (ko) * 2012-11-26 2019-03-04 한국전자통신연구원 보안 이벤트를 이용한 모바일 단말의 관리 제어 방법 및 그 장치
CN103856957B (zh) * 2012-12-04 2018-01-12 航天信息股份有限公司 探测无线局域网中仿冒ap的方法和装置
KR102107132B1 (ko) * 2013-12-05 2020-05-06 삼성전자주식회사 전자 장치의 억세스 포인트 접속 방법 및 그 전자 장치
WO2015187730A1 (fr) * 2014-06-02 2015-12-10 Bastille Networks, Inc. Detection et attenuation electromagnetique de menace en internet des objets
US20160164889A1 (en) * 2014-12-03 2016-06-09 Fortinet, Inc. Rogue access point detection
WO2017131963A1 (fr) * 2016-01-29 2017-08-03 Acalvio Technologies, Inc. Utilisation de réseaux à haute interaction pour renseignement de menace ciblé
CN107172006B (zh) * 2017-03-22 2020-06-26 深信服科技股份有限公司 检测无线网络恶意性的方法及装置
KR101999148B1 (ko) * 2017-07-28 2019-07-11 (주)씨드젠 로그 ap 탐지 시스템 및 방법과, 이를 위한 사용자 단말 및 컴퓨터 프로그램
US10911956B2 (en) * 2017-11-10 2021-02-02 Comcast Cable Communications, Llc Methods and systems to detect rogue hotspots

Also Published As

Publication number Publication date
CN112237017A (zh) 2021-01-15
US20210204135A1 (en) 2021-07-01
KR102378515B1 (ko) 2022-03-24
CN112237017B (zh) 2024-04-12
US11457362B2 (en) 2022-09-27
KR20200126427A (ko) 2020-11-06
US20230016491A1 (en) 2023-01-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19812382; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 20207029216; Country of ref document: KR; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19812382; Country of ref document: EP; Kind code of ref document: A1)